Lost smartphones pose significant corporate risk


Not every user is so careful, however. A recent survey of IT security decision-makers, conducted by information management software company Sybase, found that 71 per cent of companies rely solely on their employees to secure their mobile devices, even though 87 per cent of them reported usability frustrations with security features.

"It's not the device that matters here, it's the data it contains, but that tends to be forgotten," says Jörg Schneider-Simon, a mobile device security expert at Trend Micro. "In fact, I'd go so far as to say that, within some organisations, certain data shouldn't even be downloaded to a mobile device in the first place - if it's sensitive personal information about customers, for example, or intellectual property."

To counter the threat of data loss, all mobile devices should (at the very least) be password-protected and passwords should be reset regularly, says Casey. "Users may complain about this and say that it's an inconvenience, but it's also the easiest way of ensuring that unauthorised users aren't able to snoop," he says.

Smart companies, he adds, enforce passwords that include upper and lower case characters plus a number or two - and that ‘time out’ after a reasonable period, typically five minutes. A longer ‘idle time’ will potentially allow a thief to access and exploit contents with relative ease, while a very short time-out will require users to constantly enter their passwords - frustrating for them, and potentially useful to ‘shoulder surfers’, covertly observing the process.

Encryption is vital, too, says Greg Day, security analyst with McAfee, but this presents many organisations with a dilemma: at what level should encryption be applied? "You don't want to make life too complicated for users - and complex encryption quickly develops a bad reputation with busy people on the move," he says. That said, encryption at the device level is a must-have for all organisations, he adds, while encryption at file or folder level is a decision typically made according to an individual company's appetite for, or tolerance of, security risk.

But when it comes to encryption, there are significant trade-offs to bear in mind. Full device-level encryption can hamper performance and battery life, but also means that all data is effectively protected. On the other hand, file or folder-level encryption is less processing-intensive, certainly, but requires a complex process of data classification to ensure that sensitive data is encrypted while other data is not.

Back-end threat

Safeguarding data stored on the device itself is only the start of a successful smartphone security strategy, however. Increasingly, there's also the data held on back-end enterprise systems to consider. This kind of information is now accessed by smartphones as well as laptops on a regular basis, and this is why a number of mobile device manufacturers have started to incorporate support for virtual private networks (VPNs) in their enterprise-class products.

There's good reason for that: to many organisations, the prospect of users hopping onto a WiFi hotspot at their local coffee shop is unacceptable, whatever device they adopt. Working with VPNs that require users to authenticate and connect to back-end systems through secure tunnels protects sensitive data in transit.
